From mboxrd@z Thu Jan 1 00:00:00 1970
From: Kees Cook
Subject: Re: [PATCH v3] kernel.h: Skip single-eval logic on literals in min()/max()
Date: Tue, 13 Mar 2018 15:14:34 -0700
Message-ID:
References: <20180309200536.GA5670@beast> <20180309160719.154a3158e2d8ee56e43a918f@linux-foundation.org> <20180309163241.a421e216999bd0b1f43a64c2@linux-foundation.org> <20180312155524.b421f07d7f08f24c57bd1887@linux-foundation.org> <20180313140248.7fdb0d0cee044cd7c7fc7b93@linux-foundation.org>
Mime-Version: 1.0
Content-Type: text/plain; charset="UTF-8"
Content-Transfer-Encoding: quoted-printable
Cc: Linus Torvalds , Linux Kernel Mailing List , Josh Poimboeuf , Rasmus Villemoes , "Gustavo A. R. Silva" , "Tobin C. Harding" , Steven Rostedt , Jonathan Corbet , Chris Mason , Josef Bacik , David Sterba , "David S. Miller" , Alexey Kuznetsov , Hideaki YOSHIFUJI , Ingo Molnar , Peter Zijlstra , Thomas Gleixner , Masahiro Yamada , Borislav Petkov , Randy Dunlap <
To: Andrew Morton
Return-path:
In-Reply-To: <20180313140248.7fdb0d0cee044cd7c7fc7b93@linux-foundation.org>
Sender: linux-kernel-owner@vger.kernel.org
List-Id: netdev.vger.kernel.org

On Tue, Mar 13, 2018 at 2:02 PM, Andrew Morton wrote:
> On Mon, 12 Mar 2018 21:28:57 -0700 Kees Cook wrote:
>
>> On Mon, Mar 12, 2018 at 4:57 PM, Linus Torvalds
>> wrote:
>> > On Mon, Mar 12, 2018 at 3:55 PM, Andrew Morton
>> > wrote:
>> >>
>> >> Replacing the __builtin_choose_expr() with ?: works of course.
>> >
>> > Hmm. That sounds like the right thing to do. We were so myopically
>> > staring at the __builtin_choose_expr() problem that we overlooked the
>> > obvious solution.
>> >
>> > Using __builtin_constant_p() together with a ?: is in fact our common
>> > pattern, so that should be fine. The only real reason to use
>> > __builtin_choose_expr() is if you want to get the *type* to vary
>> > depending on which side you choose, but that's not an issue for
>> > min/max.
>>
>> This doesn't solve it for -Wvla, unfortunately. That was the point of
>> Josh's original suggestion of __builtin_choose_expr().
>>
>> Try building with KCFLAGS=-Wval and checking net/ipv6/proc.c:
>>
>> net/ipv6/proc.c: In function ‘snmp6_seq_show_item’:
>> net/ipv6/proc.c:198:2: warning: ISO C90 forbids array ‘buff’ whose
>> size can’t be evaluated [-Wvla]
>>   unsigned long buff[SNMP_MIB_MAX];
>>   ^~~~~~~~
>
> PITA. Didn't we once have a different way of detecting VLAs? Some
> post-compilation asm parser, iirc.
>
> I suppose the world wouldn't end if we had a gcc version ifdef in
> kernel.h. We'll get to remove it in, oh, ten years.

For fixing only 6 VLAs, we don't need all this effort. When it looked
like we could get away with just a "better" max(), sure. ;)

I'll send a "const_max()" which will refuse to work on
non-constant-values (so it doesn't get accidentally used on variables
that could be exposed to double-evaluation), and will work for stack
array declarations (to avoid the overly-sensitive -Wvla checks).

-Kees

-- 
Kees Cook
Pixel Security
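
The trade-off discussed in this message, as an added example that is not part of the original e-mail and is not the const_max() Kees refers to: a naive max evaluates its arguments twice, a single-evaluation max cannot size a fixed array, and a constant-only max can. The macro names, the bit-field check and the sizes MIB_A/MIB_B are assumptions made for illustration.

```c
/* Added example, not kernel code. Build with: gcc -Wvla example.c */
#include <stdio.h>
#include <stddef.h>

/* Naive macro: the larger argument is evaluated twice. */
#define NAIVE_MAX(a, b) ((a) > (b) ? (a) : (b))

/* Single-evaluation form (GNU statement expression). Safe with side effects,
 * but never an integer constant expression, so an array sized with it is a
 * VLA and trips -Wvla even when both arguments are literals. */
#define SINGLE_EVAL_MAX(a, b) \
    ({ __typeof__(a) _a = (a); __typeof__(b) _b = (b); _a > _b ? _a : _b; })

/* Hypothetical constant-only max. A bit-field width must be an integer
 * constant expression, so a non-constant argument fails to compile. */
#define REQUIRE_ICE(e) (0 * sizeof(struct { int ice : ((e) ? 1 : 2); }))
#define CONST_MAX(a, b) (((a) > (b) ? (a) : (b)) + REQUIRE_ICE((a) > (b)))

enum { MIB_A = 36, MIB_B = 28 };   /* constructed sizes, not kernel values */

static int calls;
static int next_val(void) { calls++; return 5; }

int evals_naive(void)
{
    calls = 0;
    (void)NAIVE_MAX(next_val(), 3);        /* compare, then re-evaluate */
    return calls;
}

int evals_single(void)
{
    calls = 0;
    (void)SINGLE_EVAL_MAX(next_val(), 3);  /* argument captured once */
    return calls;
}

size_t fixed_buf_len(void)
{
    unsigned long buff[CONST_MAX(MIB_A, MIB_B)];  /* fixed size, no -Wvla */
    /* CONST_MAX(next_val(), 3) would be rejected at compile time. */
    return sizeof(buff) / sizeof(buff[0]);
}

int main(void)
{
    printf("naive=%d single=%d len=%zu\n",
           evals_naive(), evals_single(), fixed_buf_len());
    return 0;
}
```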